Penetration testing, or "pen testing" as it's also called, is a crucial component of the broader set of procedures that make up a general security audit of databases, internal networks, servers and online systems. The term can also describe tests of physical infrastructure, but we're focusing here on the digital side of things.
For any organization that takes its digital protection seriously, a robust and well-organized pen test conducted by industry professionals is essential to schedule, for a number of important reasons.
An Overview of Penetration Testing
You can divide penetration tests into two broad categories: unannounced tests and announced tests. The former are conducted with only the knowledge of the examiners, or "attackers", and the people who ordered the test; the latter are tests that everybody in the organization has been made aware of and told to plan for.
Of the two, unannounced tests are probably the better option, since they more closely simulate a real attack or intrusion. After all, hackers and malicious code normally don't announce their arrival in advance and give everyone time to prepare. The ideal penetration test is one conducted without warning, and the ideal security protocol should be thorough enough to cope with that element of surprise.
Following a pen test, the firm that conducted it will normally deliver an audit of what it found, highlighting strengths, weaknesses and any unusual discoveries such as evidence of previous hacks, and then make recommendations for improvements and for toughening protection protocols.
The overwhelming majority of tests will probably go smoothly, and their main findings, if any, will consist of code errors that can cause problems, outdated software, plugins and applications (the cause of most intrusion entry points), site design flaws, unprotected data entry points, configuration errors and software bugs.
More than anything else, the weaknesses most likely to be found are holes in attached third-party software and applications, and the lack of protective barriers in certain crucial places.
Why You Need to Conduct Penetration Tests
Until you simulate a live attack on your valuable data and systems, or actually suffer a real intrusion or hack attempt, you will never be 100% sure that your systems are strong enough to protect your valuables. Of the two, it's much better to go through the former, since it's being done under your control and without any long-term consequences that can damage your reputation or cost you thousands to millions in damages.
Let's take a recent high-profile intrusion disaster as an example of what penetration testing can save you from by revealing your organization's data protection weaknesses. In summer of 2012, the social networking site LinkedIn, with well over 150 million members and a formidable internal security team on its payroll, was breached by hackers who accessed its internal servers and stole over 6 million user passwords that had been stored in unencrypted documents. LinkedIn isn't alone; other major firms such as Sony, Nintendo, AT&T and even the U.S. Defense Department have all suffered the same fate.
As you can see, penetration tests are important, and having them done well in advance of your first intrusion lets you discover exactly what will protect you when that real, live hack attempt actually arrives. The cost of not knowing can range from minor information leaks to system crashes, and it can also cost you immensely in client trust if hackers find a way to get their hands on your clients' valuable information because you left key access points wide open for them.
What Should Penetration Tests Cover?
The scope and specific nature of a pen test will vary considerably and is something you'll have to discuss in detail with the third-party service provider you decide to hire, especially after checking their references and screening them thoroughly. However, a few basics that should be probed for security weaknesses include:
- All external and internal firewalls (both software and hardware versions).
- Off-the-shelf hardware such as servers, routers, wireless systems and smartphones or tablets that connect to your systems.
- Software apps, games, CMS systems, plugins and any third-party script add-ons to your servers, websites or networks.
- All wireless access connections such as WiFi, RFID, etc.
- Telephone and video conferencing systems such as VoIP, video calling apps, fax servers and telepresence systems.
- Programming code for websites and any interface software you've designed for your online presence.